I use snort/acid/guardian at home and have had no problems with the combo in the past 8 or 10 months. Adding guardian to the mix is nice in that it simply drops traffic from sites that snort detects "attacks" from. This is more of a bandwidth saver than protection though. The stock e-smith package is pretty bulletproof. Snort does eat quite a bit of hard disk space with it's alert logs if you don't clean them out regularly.
I had to disable guardian on the system at work because it was blocking access from/to customers and vendors. Some sysadmins set their web/mail servers up to do rude things to verify our system isn't vulnerable to various attacks before allowing a connection. Sites can be added to guardians ignore file but that requires we be notified of a connection failure and our management won't allow for that. With guardian disabled, snort and acid are of less value. Manually sifting through the snort log is just not an activity I can spend time on. It's nice to see that the server is surviving continuous attack from all quarters but I can accept that fact without the cpu overhead and disk space requirements of snort.
Snort and acid are fun and give you that warm fuzzy feeling that the e-Smith distro is pretty secure. Without guardian, the fun quickly becomes a time consuming chore. I highly recomend snort/acid/guardian if you can work with occasional site that needs to be put in the guardian.ignore file.
5 Replies
2005 Views